WebKit Bugzilla
Bug 283277 - WebAssembly assertion failed in parseExpression
Status: RESOLVED DUPLICATE of bug 283262
URL: https://bugs.webkit.org/show_bug.cgi?id=283277

Reported by linjy01, 2024-11-17 21:16:06 PST
Created attachment 473254 [details]
standalone runnable poc

WebKit commit id: 1a9adbce1d3fbd78795e86aad2c57ce384e31168 (Nov 16 2024)

# POC (short version):
```
load("test/mjsunit/wasm/wasm-module-builder.js");
const builder = new WasmModuleBuilder();
builder.addType(kSig_i_iii);
builder.addType(makeSig([], [kWasmF64,kWasmF64]));
for (let i = 0; i < 100; i++) {
  builder.addType(makeSig([], []));
}
const sig = builder.addType(kSig_i_iii);
const v121 = builder.nextTypeIndex();
builder.addType(makeSig([], []));
builder.addType(makeSig([], []));
const v133 = builder.nextTypeIndex();
const v134 = [v133,v133,v133,v133];
builder.addType(makeSig(v134, []));
const func = builder.addFunction("func", v121);
const function_body = [kExprRefNull,kFuncRefCode,kGCPrefix,kExprRefCastNull,v133];
func.addBody(function_body);
builder.instantiate();
```

The attachment is a longer and standalone POC that contains the `wasm-module-builder.js` source code (the poc code is at the end of the attached poc_withbuilder.js).

# Reproduction:
build: `./Tools/Scripts/build-jsc --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_CXX_FLAGS=' -O3 -lrt'"`
run: `./WebKitBuild/JSCOnly/Debug/bin/jsc ./poc_withbuilder.js`

# Output:
```
SHOULD NEVER BE REACHED
./WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h(2714) : JSC::Wasm::ParserBase::PartialResult JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression() [Context = JSC::Wasm::LLIntGenerator]
1 0x55ce66db604d ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x252704d) [0x55ce66db604d]
2 0x55ce66d8e66b ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x24ff66b) [0x55ce66d8e66b]
3 0x55ce66d1266c ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x248366c) [0x55ce66d1266c]
4 0x55ce66d1159f ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x248259f) [0x55ce66d1159f]
5 0x55ce66d2f920 ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x24a0920) [0x55ce66d2f920]
6 0x55ce66c922dd ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x24032dd) [0x55ce66c922dd]
7 0x55ce66f7e771 ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x26ef771) [0x55ce66f7e771]
8 0x55ce670c9964 ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x283a964) [0x55ce670c9964]
9 0x55ce670e94da ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x285a4da) [0x55ce670e94da]
10 0x55ce67174d36 ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x28e5d36) [0x55ce67174d36]
11 0x7f12936aeac3 /lib/x86_64-linux-gnu/libc.so.6(+0x94ac3) [0x7f12936aeac3]
12 0x7f1293740850 /lib/x86_64-linux-gnu/libc.so.6(+0x126850) [0x7f1293740850]
Aborted (core dumped)
```

# GDB backtrace:
```
#2  __GI___pthread_kill (threadid=140735935108672, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff5803476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff57e97f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x000055555639304a in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:913
#6  0x0000555557a7b062 in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression (this=this@entry=0x7fffa36b1180) at ./WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:2714
#7  0x0000555557a5366b in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseBody (this=this@entry=0x7fffa36b1180) at ./WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:534
#8  0x00005555579d766c in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parse (this=this@entry=0x7fffa36b1180) at ./WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:487
#9  0x00005555579d659f in JSC::Wasm::parseAndCompileBytecode (function=..., signature=..., info=..., functionIndex=functionIndex@entry=...) at ./WebKit/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:634
#10 0x00005555579f4920 in JSC::Wasm::LLIntPlan::compileFunction (this=0x7fffeb04b5a0, functionIndex=...) at ./WebKit/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:105
#11 0x00005555579572dd in JSC::Wasm::EntryPlan::compileFunctions (this=0x7fffeb04b5a0, effort=JSC::Wasm::Plan::Partial) at ./WebKit/Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:218
#12 0x0000555557c43771 in JSC::Wasm::Worklist::Thread::work (this=0x7fffeb175670) at ./WebKit/Source/JavaScriptCore/wasm/WasmWorklist.cpp:108
#13 0x0000555557d8e964 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const (this=<optimized out>) at ./WebKit/Source/WTF/wtf/AutomaticThread.cpp:225
#14 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() (this=<optimized out>) at ./WebKit/Source/WTF/wtf/Function.h:53
#15 0x0000555557dae4da in WTF::Function<void ()>::operator()() const (this=<optimized out>) at ./WebKit/Source/WTF/wtf/Function.h:82
#16 WTF::Thread::entryPoint (newThreadContext=<optimized out>) at ./WebKit/Source/WTF/wtf/Threading.cpp:265
```
Attachments:
- standalone runnable poc (73.69 KB, text/javascript), 2024-11-17 21:16 PST, linjy01
Comment 1, Radar WebKit Bug Importer, 2024-11-24 21:17:14 PST

<rdar://problem/140524325>
Comment 2, Yusuke Suzuki, 2024-11-25 11:04:54 PST

Thanks. This is dupe of bug 283262
Comment 3, Yusuke Suzuki, 2024-11-25 11:05:25 PST

*** This bug has been marked as a duplicate of bug 283262 ***